RSACryptoServiceProvider import key pair into signature slot

  • Question

  • Hi @all,


    I have a problem using the RSACryptoServiceProvider to import a key pair. I'm using the following method:


           using System;
           using System.Security.Cryptography;

           public static void StoreKeyInContainer(KeyNumber theKeyNumber, String theXmlKeyPair)
           {
               CspParameters parms;
               RSACryptoServiceProvider rsa;

               // Provider type 1 = PROV_RSA_FULL; keep the container in the machine key store
               parms = new CspParameters(1);
               parms.Flags = CspProviderFlags.UseMachineKeyStore;
               parms.KeyContainerName = "Test";
               parms.KeyNumber = (Int32) theKeyNumber;   // intended slot: Exchange or Signature

               // Open (or create) the container, then replace its key with the XML key pair
               rsa = new RSACryptoServiceProvider(parms);
               rsa.FromXmlString(theXmlKeyPair);
           }


    When setting the theKeyNumber parameter to KeyNumber.Exchange everything seems to be fine. But when I set the theKeyNumber parameter to KeyNumber.Signature the key pair is imported into the KeyNumber.Exchange slot, just as if I hadn't set the KeyNumber parameter. So the simple question is: what am I doing wrong here? I need a way to import a key into the KeyNumber.Exchange slot for signing and verification purposes.

    Another problem I encountered is that I can re-export a key pair (public and private key) I imported this way. How can I deny the export of the private key?

     

    Thanks in advance,

    Carsten

    Thursday, April 15, 2010 12:34 PM

Answers

  • Hi Carsten,


    As you found, RSACryptoServiceProvider is hard-coded to use CALG_RSA_KEYX for importing RSA parameters.

    As a workaround, we may import a raw CAPI key blob into either key number. But there is no managed API for this purpose, so we have to do it ourselves; the format is documented here. By setting the aiKeyAlgID field of the BLOBHEADER to either CALG_RSA_KEYX or CALG_RSA_SIGN we can pick which portion of the key container our blob will go into.

     


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    • Marked as answer by cgruenzner Friday, April 30, 2010 8:27 AM
    Wednesday, April 21, 2010 1:26 AM
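As an added example (not code from the thread, from Eric, or from the .NET Framework), here is one way in C# to build the PRIVATEKEYBLOB Eric describes, with aiKeyAlg chosen from the KeyNumber so the header, not RSACryptoServiceProvider, selects the slot. The CapiKeyBlob class is hypothetical; that ImportCspBlob hands the blob to CryptImportKey unchanged, and that CspProviderFlags.UseNonExportableKey withholds CRYPT_EXPORTABLE on import (Carsten's second question), are my assumptions to verify on the target machine.

```csharp
using System;
using System.Security.Cryptography;
// Added example (not from the thread): build a CAPI PRIVATEKEYBLOB by hand so that
// BLOBHEADER.aiKeyAlg decides which slot of the container receives the key. Layout follows
// the documented base-provider key BLOB format: little-endian integers, big-endian RSAParameters.
public static class CapiKeyBlob
{
    const byte PRIVATEKEYBLOB = 0x07, CUR_BLOB_VERSION = 0x02;
    const uint CALG_RSA_KEYX = 0x0000a400, CALG_RSA_SIGN = 0x00002400; // exchange / signature slot
    const uint RSA2_MAGIC = 0x32415352;                                 // "RSA2": private key blob

    // Copy a big-endian field into a fixed-width little-endian field at pos (high bytes stay zero).
    static void PutLE(byte[] dst, ref int pos, byte[] be, int width)
    {
        if (be == null || be.Length > width) throw new ArgumentException("bad RSA parameter length");
        for (int i = 0; i < be.Length; i++) dst[pos + i] = be[be.Length - 1 - i];
        pos += width;
    }

    public static byte[] ToPrivateKeyBlob(RSAParameters p, KeyNumber slot)
    {
        int n = p.Modulus.Length, h = n / 2;   // modulus size; CRT fields are half that
        byte[] blob = new byte[8 + 12 + n + 5 * h + n];
        blob[0] = PRIVATEKEYBLOB;              // bType
        blob[1] = CUR_BLOB_VERSION;            // bVersion; bytes 2-3 are reserved (0)
        uint alg = slot == KeyNumber.Signature ? CALG_RSA_SIGN : CALG_RSA_KEYX;
        BitConverter.GetBytes(alg).CopyTo(blob, 4);            // aiKeyAlg selects the slot
        BitConverter.GetBytes(RSA2_MAGIC).CopyTo(blob, 8);     // RSAPUBKEY.magic
        BitConverter.GetBytes((uint)(n * 8)).CopyTo(blob, 12); // RSAPUBKEY.bitlen
        int pos = 16;
        PutLE(blob, ref pos, p.Exponent, 4);   // RSAPUBKEY.pubexp
        PutLE(blob, ref pos, p.Modulus, n);
        PutLE(blob, ref pos, p.P, h);          // prime1
        PutLE(blob, ref pos, p.Q, h);          // prime2
        PutLE(blob, ref pos, p.DP, h);         // exponent1
        PutLE(blob, ref pos, p.DQ, h);         // exponent2
        PutLE(blob, ref pos, p.InverseQ, h);   // coefficient
        PutLE(blob, ref pos, p.D, n);          // privateExponent
        return blob;
    }

    // Assumed here: ImportCspBlob passes the blob to CryptImportKey unchanged, so the header
    // picks the slot, and UseNonExportableKey withholds CRYPT_EXPORTABLE (second question).
    public static RSACryptoServiceProvider ImportInto(string container, KeyNumber slot, RSAParameters p)
    {
        var cp = new CspParameters(1) { KeyContainerName = container, KeyNumber = (int)slot,
            Flags = CspProviderFlags.UseMachineKeyStore | CspProviderFlags.UseNonExportableKey };
        var rsa = new RSACryptoServiceProvider(cp);
        rsa.ImportCspBlob(ToPrivateKeyBlob(p, slot));
        return rsa;
    }
}
```

After the import, calling ExportParameters(true) on a provider opened with UseExistingKey for that slot is the check that the private key landed where intended and is no longer exportable.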

All replies

  • Hi,


    I'm sorry, but how did you check whether the KeyNumber.Exchange slot (or KeyNumber.Signature slot) has been set?

    For the second question, you may create an un-exportable machine-level key container with the command:

    aspnet_regiis -pc "MyKeys"

     

    Please feel free to let me know if I have any misunderstanding.


    Sincerely,
    Eric
    Friday, April 16, 2010 10:22 AM
  • Hi Eric,


    first of all thank you for your reply.

    I'm importing an exchange and a signature key pair into the same key container. First the exchange key, then the signature key. When I'm trying to use the exchange key I'm breaking into the VS Debugger and call the ToXmlString() method of the RSACryptoServiceProvider in the Immediate window. The displayed key is the signature key (the 2nd imported key pair). Doing the same when I'm trying to use the signature key, the exported key pair neither matches my exchange key pair nor my signature key pair. It is a randomly generated new key.

    The aspnet_iisreg.exe is not a solution, since as far as I know it does not set the signature key pair, but the exchange key pair. I have not seen an option to set the key slot. Did I overlook something? Using the sn.exe I can address the signature slot, but I think sn.exe can't handle the xml key pair files and I don't want to assume that both tools are installed on the target machine. So I need a code solution.

     

    Sincerely,

    Carsten

    Friday, April 16, 2010 11:02 AM
  • Hi Eric,


    thank you for your answer, that explains the odd behavior. I just checked whether something has changed in Framework 4.0, but unfortunately nothing has changed. Do you think it is worth submitting a bug report or is it "by design"? If it is by design, can you explain the reasons?

     

    Sincerely,

    Carsten

    Friday, April 30, 2010 8:27 AM